Source Code Dark Fall New Dawn Cheats - Information


Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,073
78,998
2,371
Game Name: Dark Fall New Dawn
Anticheat: N/A
How long you been coding/hacking? 7 years
Coding Language: C++
PwnedDepot was working on this game and I decided to check it out for a few days. PwnedDepot made a DarkFall FlyHack.

He sent me his cheat table so I could get started on this game and I'm gonna share my information in this thread as I find it.

Darkfall New Dawn is a remake of the original Darkfall. New Dawn came out a few weeks ago, basically as a Free To Play alpha.

Engine: Spenefett
DarkFall.exe is a small 32-bit program written in C++ that loads SFMiddleWare.DLL, which eventually loads the Java modules that actually are the game logic.

Darkfall.exe loads SFMiddleWare.dll; both are easily disassembled and decompiled with IDA.
It uses Direct3D graphics and the FModex library for audio.
The game does call IsDebuggerPresent.
Set Cheat Engine to the VEH debugger or patch IsDebuggerPresent, which I might work on in a minute. Until you patch it you can't use IDA to debug the game :(

It's basically impossible to find pointers due to the dynamic nature of the Java Virtual Machine, but I do see that sfmiddleware.dll imports JNI_CreateJavaVM and we can probably hook that to find the address of individual Java modules, from which we can then calculate offsets, similar to what I did in OpenArena.

Data Files:
C:\Program Files (x86)\Darkfall New Dawn\data

SF = Spenefett, and it prefixes many of their files.
The .sfad files are supposedly just modified bzip2-compressed files. Maybe the .sfai is like a key/index for the other files.
If we could decompress these files we would see all the Java modules, textures, etc.

This is a Cheat Engine script to grab the writeable position vector of your local player. PwnedDepot sent me his original, which I owe great thanks for because it saved me some time getting started. I made some minor alterations.

If you enable this script, "pos" now points to the dynamic position vector of your local player.
Cheat Engine auto assembler script:
[ENABLE]
registersymbol(pos)        // expose "pos" to the address list and other scripts
alloc(newmem,2048)         // code cave for the hook
alloc(pos,4)               // 4-byte slot that will hold the address of the position vector

label(returnhere)
label(originalcode)
label(exit)

SFMiddleWare.DLL+892fe0:   // hook site: 6 bytes (mov eax,[ecx+2C] / mov [ecx+04],eax)
jmp newmem                 // 5-byte jump into the cave
nop                        // pad to 6 bytes so no instruction is left half-overwritten
returnhere:

newmem:
push eax
lea eax,[ecx]              // ECX holds the object pointer at this site
add eax, 4                 // the movement structure (pos.x first) starts at ECX+4
mov [pos],eax              // publish that address through the "pos" symbol
pop eax

originalcode:
mov eax,[ecx+2C]           // the two instructions the jmp overwrote
mov [ecx+04], eax
exit:
jmp returnhere

[DISABLE]
//unregistersymbol(pos)    // left commented out so "pos" stays readable after disabling
//dealloc(pos)
dealloc(newmem)

SFMiddleWare.DLL+892fe0:   // restore the original bytes
mov eax,[ecx+2C]
mov [ecx+04], eax
The pattern for SFMiddleWare.DLL+892fe0 is:
Code style (bytes, then mask; x = fixed byte, ? = wildcard):
\x8b\x41\x00\x89\x41\x00\x8b\x41\x00\x89\x41\x00\x8b\x41\x00\x89\x41\x00\x8b\x41\x00\x89\x41\x00\x8b\x41\x00\x89\x41\x00\x8b\x41\x00\x89\x41\x00\x8b\x41\x00\x89\x41\x00\x8b\x41\x00\x89\x41\x00\x8b\x41\x00\x89\x41\x00\x8b\x41\x00\x89\x41\x00\x8b\x41\x00\x89\x41\x00\xc3
xx?xx?xx?xx?xx?xx?xx?xx?xx?xx?xx?xx?xx?xx?xx?xx?xx?xx?xx?xx?x
IDA style:
8b 41 ? 89 41 ? 8b 41 ? 89 41 ? 8b 41 ? 89 41 ? 8b 41 ? 89 41 ? 8b 41 ? 89 41 ? 8b 41 ? 89 41 ? 8b 41 ? 89 41 ? 8b 41 ? 89 41 ? 8b 41 ? 89 41 ? 8b 41 ? 89 41 ? 8b 41 ? 89 41 ? c3
When you find this pattern you have to hook the location, grab the value held in ECX and add 0x4 to it to get the location of pos.x, just like in the Cheat Engine assembler script.
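A masked byte-pattern scan of the kind described above, as an added example that is not code from the thread: it parses the IDA-style pattern, converts it to the byte-string-plus-mask form also posted, and locates it in a constructed buffer that stands in for the module's code bytes (the buffer and the displacement values are constructed sample data, not taken from the game).

```python
# Added example (not code from the thread): a masked byte-pattern scan using
# the SFMiddleWare pattern in both notations shown above. The scanned buffer
# is constructed sample data, not bytes dumped from the game.

# IDA-style pattern from the thread: 11 "mov eax,[ecx+?] / mov [ecx+?],eax"
# pairs followed by ret (c3); '?' marks a wildcard displacement byte.
IDA_PATTERN = " ".join(["8b 41 ? 89 41 ?"] * 11) + " c3"


def parse_ida_pattern(pattern):
    """'8b 41 ? c3' -> [0x8b, 0x41, None, 0xc3]; None is a wildcard."""
    return [None if tok in ("?", "??") else int(tok, 16)
            for tok in pattern.split()]


def to_code_style(parsed):
    """Convert to the (bytes, mask) form also posted: wildcards become
    \\x00 in the byte string and '?' in the mask, fixed bytes become 'x'."""
    data = bytes(0 if b is None else b for b in parsed)
    mask = "".join("?" if b is None else "x" for b in parsed)
    return data, mask


def find_pattern(buf, parsed):
    """Every offset in buf where all non-wildcard bytes match."""
    n = len(parsed)
    return [off for off in range(len(buf) - n + 1)
            if all(p is None or buf[off + i] == p for i, p in enumerate(parsed))]


def build_sample_buffer(parsed, prefix_len=7, disp=0x2C):
    """Constructed stand-in for the module's code: some filler bytes, then the
    pattern with each wildcard set to a concrete displacement, then padding."""
    body = bytes(disp if b is None else b for b in parsed)
    return b"\x90" * prefix_len + body + b"\xcc" * 3


if __name__ == "__main__":
    parsed = parse_ida_pattern(IDA_PATTERN)
    buf = build_sample_buffer(parsed)
    print("pattern found at offsets:", find_pattern(buf, parsed))
    data, mask = to_code_style(parsed)
    print("code-style bytes:", data.hex(), "mask:", mask)
```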

This is a ReClass layout I made for this dynamically located "movement" structure; currently trying to trace back from this to some other local player shit.
You can assign it to the address found by using the CE assembler script:

C++:
#include <cstdint>

// Component order is x, z, y, as the game stores it; offsets match the ReClass dump.
struct Vec3
{
	float x;
	float z;
	float y;
};

class position
{
public:
	Vec3 pos;                  //0x0000  pos.x, pos.z, pos.y
	Vec3 velocity;             //0x000C  velocity.x, velocity.z, velocity.y
	char pad_0x0018[0xC];      //0x0018
	float unknown;             //0x0024
	Vec3 pos2;                 //0x0028  pos2.x, pos2.z, pos2.y
	Vec3 velocity2;            //0x0034  velocity2.x, velocity2.z (0x0038), velocity2.y
	char pad_0x0040[0x10];     //0x0040
	int32_t MovementBitfield;  //0x0050
	char pad_0x0054[0x50];     //0x0054
	int32_t WierdMovement;     //0x00A4
	char pad_0x00A8[0x4];      //0x00A8
}; //Size=0x00AC

// Guard against the layout drifting away from what ReClass reported.
static_assert(sizeof(position) == 0xAC, "position layout must be 0xAC bytes");
That's all I got for now :)
 

Rake
Josh Phillips, who presented "Hacking MMORPGs for Fun and Profit" at Defcon with the Glider developer, wrote several articles on DarkFall:

https://ra1ndog.wordpress.com/2009/05/22/java-reversing/
https://ra1ndog.wordpress.com/2009/07/11/jvmti-agent/
https://ra1ndog.wordpress.com/2010/03/18/df-progress/

He wrote a DarkFall file extractor library that is now offline:
https://ra1ndog.wordpress.com/2009/05/28/sfad-extractor/

but it is based on this Python script:
https://raw.githubusercontent.com/kinghussien/df_modelviewer/master/dfextract.py

It will extract all the files, but the Java class files have a second level of encryption.

Here is a Darkfall emulator with full source code for research purposes:
https://github.com/kinghussien/darkfall_emu
 

Rake
Ok, that Python script does work with Python 2.x; just change
for x in xrange(0,15):
to
for x in xrange(0,12):

But the Java class files are using a different compression algorithm or are encrypted beyond just the bz2.
But we can view some relative information from the emulator source code.
 

Rake


Game runs fine, therefore IsDebuggerPresent is not the issue stopping Cheat Engine and IDA from attaching.
PwnedDepot, will you attach IDA to Darkfall and set a breakpoint on SFMiddleWare.DLL+892fe0 and tell me if your shit crashes and which debugger you used?
 

PwndDepot

I has a status
Dank Tier VIP
Trump Tier Donator
Dank Tier Donator
Nov 5, 2014
239
7,748
19
Rake;43773 said:
Game runs fine, therefore IsDebuggerPresent is not the issue stopping Cheat Engine and IDA from attaching.
PwnedDepot, will you attach IDA to Darkfall and set a breakpoint on SFMiddleWare.DLL+892fe0 and tell me if your shit crashes and which debugger you used?

Crashed using local Windows debugger for me.
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,294
37,938
269
Loads of ways to detect a generic debugger:

IsDebuggerPresent
manually checking the PEB flag
setting the trap flag, then trying to catch your own exception
simply trying to catch your own exception (not a double typo)
NtQueryInformationProcess -- the debug class, can't remember what it's called
and more
 

Pixels

Newbie
Full Member
Dec 31, 2017
5
22
0
Anything planned for release that is less than a month away for New Dawn, Rake?
 

Pixels
New Dawn is releasing in less than a month. Does anyone here know if there are any hacks available or that will be released? I miss the flying/teleport hacks from Darkfall 1, and so far I have only heard of small groups keeping their hacks to themselves :FeelsBadMan:
 

Rake
Please don't crosspost; I merged your posts into this thread. No, sorry, no plans for this game.
 